NIST, DHS push for more engagement around cyber framework

Lauren Larson reports.

Six weeks into the implementation of the White House's framework to help protect the nation's critical
infrastructure, federal officials say they are seeing progress, but also areas
that need help from Congress.

Despite initial skepticism from industry, the National Institute of Standards and
Technology and the Homeland Security Department are figuring out how to keep the
private sector engaged and participating in improving cybersecurity.

"How do we continually, in a phased approach, maintain the private sector's
involvement as we do the adoption? We will learn. We're putting all our resources
out to the private sector. We are not asking them to report if they've used it or
not," said Phyllis Schneck, deputy undersecretary for cybersecurity at the
National Protection and Programs Directorate at DHS. "We want to look at our
outreach, study our metrics and stay involved with large companies. And [we're]
asking their suppliers to be more secure, so that when you connect to a smaller
company, you don't endanger the larger company. ... A lot of basic cyber hygiene
and guidelines that are mentioned in this framework could have prevented a lot of
the attacks that we've seen thus far."

Schneck came to DHS from the private sector six months ago. She witnessed phase one of building the cyber
framework from the industry perspective.

"The success of this, as I saw in the first phase from the private sector, comes
from the fact that the private sector is very bought-in," she said. "They know
that they designed this thing with us, with NIST. They have a lot of trust in
that. So, we want to maintain their input as we build how we rate the success."

Every company has a different level of awareness in terms of cybersecurity.
Schneck said small businesses may pose the biggest threat to the security of all
companies.

"Small to medium business, that's a huge risk. These are companies that have no
idea, in many cases, that they have something to protect, and yet they are
connecting to everyone else, making the rest of us less secure with very small
budgets," said Schneck.

She emphasized the importance of building a culture of cybersecurity.

"Many in the field say that there are two kinds of companies and entities right
now: those who know they're compromised and those who don't," Schneck said. "So
the issue is, how do we raise cybersecurity to a business discussion? I think the
framework and the voluntary program will get it to the boardroom, because it
becomes part of the risk. We don't force people to lock their doors and, yet, they
do. So, this is part of a culture of security that has been talked about for 12
years."

Liability protection

While DHS and NIST are trying to build the partnership, Congress needs to address
liability protection for companies.

Sen. Ron Johnson (R-Wis.) said fear of legal entanglements may be hindering
participation. He pushed for broader liability protection, saying the less likely
a company is to be sued, the more likely it is to share information.

"Right now, it seems to me that we are erring on the side of limited liability
protection or no liability protection," he said. "As a result, we're not getting
the information that everybody believes is absolutely crucial if we're going to
provide cybersecurity."

Schneck said companies want to know that reporting to the government is not going
to hurt them in some way. She said the more comfortable the private sector is with
the relationship, the more information will come in. She said the administration's
plan for targeted liability would be helpful.

"I think that the targeted liability protection that the administration is looking
at right now would help us because it would protect companies in the instances
defined to share information, and they wouldn't get hurt by that and wouldn't be
liable, nor would their shareholders," she said. "It wouldn't be so broad that it
threatens — even the perception of threatening — our privacy and civil
liberties, because we are fighting to protect our way of life. So, it's a
balance."

She also offered a word of caution.

"We need the experts from the science side, the legal side, the administration to
find that balance. Because we don't want to err on the side of not honoring the
privacy and civil liberties that we are all here to fight to keep," Schneck said.

What about the workforce?

DHS and NIST also must address workforce issues, as finding the people to do the
cyber work hasn't been easy, officials say.